[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From 8fa8a3e8d3c9532d2cb53b0cc3b75705fd9ad87b Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 1 Feb 2017 11:36:32 +0100 Subject: [PATCH 01/10] tests: tracker: Split Tracker into one-purpose Trackers There are multiple types of entries and objects accessible in API and not all of them have the same set of methods. Splitting Tracker into multiple trackers should reflect this better. --- ipatests/test_xmlrpc/tracker/base.py | 285 +-- 1 file changed, 172 insertions(+), 113 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..8b6e97e 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -15,61 +15,7 @@ from ipatests.util import Fuzzy -class Tracker(object): -"""Wraps and tracks modifications to a plugin LDAP entry object - -Stores a copy of state of a plugin entry object and allows checking that -the state in the database is the same as expected. -This allows creating independent tests: the individual tests check -that the relevant changes have been made. At the same time -the entry doesn't need to be recreated and cleaned up for each test. - -Two attributes are used for tracking: ``exists`` (true if the entry is -supposed to exist) and ``attrs`` (a dict of LDAP attributes that are -expected to be returned from IPA commands). - -For commonly used operations, there is a helper method, e.g. -``create``, ``update``, or ``find``, that does these steps: - -* ensure the entry exists (or does not exist, for "create") -* store the expected modifications -* get the IPA command to run, and run it -* check that the result matches the expected state - -Tests that require customization of these steps are expected to do them -manually, using lower-level methods. -Especially the first step (ensure the entry exists) is important for -achieving independent tests. - -The Tracker object also stores information about the entry, e.g. -``dn``, ``rdn`` and ``name`` which is derived from DN property. - -To use this class, the programer must subclass it and provide the -implementation of following methods: - - * make_*_command -- implementing the API call for particular plugin - and operation (add, delete, ...) - These methods should use the make_command method - * check_* commands -- an assertion for a plugin command (CRUD) - * track_create -- to make an internal representation of the - entry - -Apart from overriding these methods, the subclass must provide the -distinguished name of the entry in `self.dn` property. 
- -It is also required to override the class variables defining the sets -of ldap attributes/keys for these operations specific to the plugin -being implemented. Take the host plugin test for an example. - -The implementation of these methods is not strictly enforced. -A missing method will cause a NotImplementedError during runtime -as a result. -""" -retrieve_keys = None -retrieve_all_keys = None -create_keys = None -update_keys = None - +class BaseTracker(object): _override_me_msg = "This method needs to be overridden in a subclass" def __init__(self, default_version=None): @@ -78,8 +24,6 @@ def __init__(self, default_version=None): self._dn = None self.attrs = {} -self.exists = False - @property def dn(self): """A property containing the distinguished name of the entry.""" @@ -138,53 +82,33 @@ def make_command(self, name, *args, **options): return functools.partial(self.run_command, name, *args, **options) def make_fixture(self, request): -"""Make a pytest fixture for this tracker +"""Make fixture for the tracker -The fixture ensures the plugin entry does not exist before -and after the tests that use it. +Don't do anything here. """ -del_command = self.make_delete_command() -try: -del_command() -except errors.NotFound: -pass - -def cleanup(): -existed = self.exists -try: -del_command() -except errors.NotFound: -if existed: -raise -self.exists = False - -request.addfinalizer(cleanup) - return self -def ensure_exists(self): -"""If the entry does not exist (according to tracker state), create it -""" -if not self.exists: -
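Review bot: `class BaseTracker(object):` lands with no docstring, while the `Tracker` docstring it replaces was the only description of the subclassing contract (which `make_*_command` and `check_*` methods to override, `track_create`, and the `dn` property); a reader of the new base now has to infer that contract from the `_override_me_msg` stubs. I would add a short class docstring stating that BaseTracker holds the shared command-running machinery and that subclasses supply the `dn` property plus the `make_*_command` and `check_*` implementations, keeping whichever of the removed paragraphs still apply after the split. The identical hunk in the re-sent [PATCH 1/8] copy of this commit has the same omission. The following `@@ -78,8` hunk also drops `self.exists = False` from `__init__`; presumably that state moves to a dedicated tracker later in the series, but any subclass that still reads `self.exists` would now fail with AttributeError, which is worth confirming against the follow-up patches.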
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From 11ac9cfa85cee324be81bc6dacf2b757f1933d9a Mon Sep 17 00:00:00 2001 From: David KupkaDate: Wed, 1 Feb 2017 11:36:32 +0100 Subject: [PATCH 1/8] tests: tracker: Split Tracker into one-purpose Trackers There are multiple types of entries and objects accessible in API and not all of them have the same set of methods. Splitting Tracker into multiple trackers should reflect this better. --- ipatests/test_xmlrpc/tracker/base.py | 285 +-- 1 file changed, 172 insertions(+), 113 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..8b6e97e 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py
@@ -15,61 +15,7 @@ from ipatests.util import Fuzzy -class Tracker(object): -"""Wraps and tracks modifications to a plugin LDAP entry object - -Stores a copy of state of a plugin entry object and allows checking that -the state in the database is the same as expected. -This allows creating independent tests: the individual tests check -that the relevant changes have been made. At the same time -the entry doesn't need to be recreated and cleaned up for each test. - -Two attributes are used for tracking: ``exists`` (true if the entry is -supposed to exist) and ``attrs`` (a dict of LDAP attributes that are -expected to be returned from IPA commands). - -For commonly used operations, there is a helper method, e.g. -``create``, ``update``, or ``find``, that does these steps: - -* ensure the entry exists (or does not exist, for "create") -* store the expected modifications -* get the IPA command to run, and run it -* check that the result matches the expected state - -Tests that require customization of these steps are expected to do them -manually, using lower-level methods. -Especially the first step (ensure the entry exists) is important for -achieving independent tests. - -The Tracker object also stores information about the entry, e.g. -``dn``, ``rdn`` and ``name`` which is derived from DN property. - -To use this class, the programer must subclass it and provide the -implementation of following methods: - - * make_*_command -- implementing the API call for particular plugin - and operation (add, delete, ...) - These methods should use the make_command method - * check_* commands -- an assertion for a plugin command (CRUD) - * track_create -- to make an internal representation of the - entry - -Apart from overriding these methods, the subclass must provide the -distinguished name of the entry in `self.dn` property. 
- -It is also required to override the class variables defining the sets -of ldap attributes/keys for these operations specific to the plugin -being implemented. Take the host plugin test for an example. - -The implementation of these methods is not strictly enforced. -A missing method will cause a NotImplementedError during runtime -as a result. -""" -retrieve_keys = None -retrieve_all_keys = None -create_keys = None -update_keys = None - +class BaseTracker(object): _override_me_msg = "This method needs to be overridden in a subclass" def __init__(self, default_version=None): @@ -78,8 +24,6 @@ def __init__(self, default_version=None): self._dn = None self.attrs = {} -self.exists = False - @property def dn(self): """A property containing the distinguished name of the entry.""" @@ -138,53 +82,33 @@ def make_command(self, name, *args, **options): return functools.partial(self.run_command, name, *args, **options) def make_fixture(self, request): -"""Make a pytest fixture for this tracker +"""Make fixture for the tracker -The fixture ensures the plugin entry does not exist before -and after the tests that use it. +Don't do anything here. """ -del_command = self.make_delete_command() -try: -del_command() -except errors.NotFound: -pass - -def cleanup(): -existed = self.exists -try: -del_command() -except errors.NotFound: -if existed: -raise -self.exists = False - -request.addfinalizer(cleanup) - return self -def ensure_exists(self): -"""If the entry does not exist (according to tracker state), create it -""" -if not self.exists: -
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/9] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 9 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 843 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn:
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From 29767acc613c28711db5383c5a3b266f69316188 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From 7cf43ea8033694b9c20625cb3015c2cb8755fef2 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 107 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 279 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..9343f9a --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
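Review bot: `enable` and `disable` are the only helpers in this hunk without a docstring; `check_enable`, `check_disable` and the existing `create` (`"""Helper function to create an entry and check the result"""`) all have one. I would add `"""Helper function to enable the entry and check the result"""` to `enable` and the matching `"""Helper function to disable the entry and check the result"""` to `disable`. Unlike `update`, whose signature takes `expected_updates`, neither helper touches the tracker's stored `attrs` before calling `check_*`; if a subclass mirrors an enabled flag in `attrs`, it gets no hook here to record the change, so presumably the subclass's `check_enable`/`check_disable` is expected to do that, which the docstrings should say. The same hunk appears unchanged in the two re-sent [PATCH 1/3] copies of this commit below.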
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import itertools +import pytest + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +def
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From cd72d4375c7a5b6d590b85cbe2ce0f049aa29d42 Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/4] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt| 16 +- API.txt| 184 +++ VERSION.m4 | 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am| 1 + ipalib/constants.py| 4 + ipapython/dn.py| 9 + ipaserver/install/dsinstance.py| 1 + ipaserver/plugins/baseuser.py | 174 +- ipaserver/plugins/certmap.py | 357 + ipaserver/plugins/stageuser.py | 16 +- ipaserver/plugins/user.py | 23 ++- ipatests/test_ipapython/test_dn.py | 20 +++ 15 files changed, 843 insertions(+), 11 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..a87fec1 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=caacls,cn=ca,dc=ipa,dc=example aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";) +dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example +aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) userdn = "ldap:///all;;) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: cn=certprofiles,cn=ca,dc=ipa,dc=example @@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S dn:
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 107 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 279 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..9343f9a --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import itertools +import pytest + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +def
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From bdd96f302520fd9cbef19d2b2716e8c29244750d Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/3] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From b6ddcc0aaa69fcf6a17829af0385433550f3c363 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/3] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 107 ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 279 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..9343f9a --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
@@ -0,0 +1,107 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import itertools +import pytest + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +def
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From b758cf15199a42a707c1028a29ec4772d24589eb Mon Sep 17 00:00:00 2001 From: Florence Blanc-RenaudDate: Tue, 20 Dec 2016 16:21:58 +0100 Subject: [PATCH 1/4] Support for Certificate Identity Mapping See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 --- ACI.txt | 16 +- API.txt | 154 + VERSION.m4| 4 +- install/share/73certmap.ldif | 17 ++ install/share/Makefile.am | 1 + install/updates/73-certmap.update | 27 +++ install/updates/Makefile.am | 1 + ipalib/constants.py | 2 + ipaserver/install/dsinstance.py | 1 + ipaserver/plugins/baseuser.py | 11 +- ipaserver/plugins/certmap.py | 345 ++ ipaserver/plugins/user.py | 173 ++- 12 files changed, 745 insertions(+), 7 deletions(-) create mode 100644 install/share/73certmap.ldif create mode 100644 install/updates/73-certmap.update create mode 100644 ipaserver/plugins/certmap.py diff --git a/ACI.txt b/ACI.txt index 0b47489..ec2eeca 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -40,6 +40,18 @@ dn: cn=caacls,cn=ca,dc=ipa,dc=example
aci: (targetattr = "cn || description || ipaenabledflag")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Modify CA ACL";allow (write) groupdn = "ldap:///cn=System: Modify CA ACL,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=caacls,cn=ca,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || hostcategory || ipacacategory || ipacertprofilecategory || ipaenabledflag || ipamemberca || ipamembercertprofile || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || usercategory")(targetfilter = "(objectclass=ipacaacl)")(version 3.0;acl "permission:System: Read CA ACLs";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Modify Certmap Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertmappromptusername")(targetfilter = "(objectclass=ipacertmapconfigobject)")(version 3.0;acl "permission:System: Read Certmap Configuration";allow (compare,read,search) userdn = "ldap:///all;;)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Add Certmap Rules";allow (add) groupdn = "ldap:///cn=System: Add Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Delete Certmap Rules";allow (delete) groupdn = "ldap:///cn=System: Delete Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: 
cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || description || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Modify Certmap Rules";allow (write) groupdn = "ldap:///cn=System: Modify Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certmaprules,cn=certmap,cn=ipa,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || createtimestamp || description || entryusn || ipacertmapissuer || ipacertmapmaprule || ipacertmapmatchrule || ipacertmappriority || ipaenabledflag || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertmaprule)")(version 3.0;acl "permission:System: Read Certmap Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Certmap Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
@@ -337,6 +349,8 @@ aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:S
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "krbprincipalkey || passwordhistory ||
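Review bot: The `System: Read Certmap Rules` ACI binds with `groupdn`, so the rule entries are readable only by members of that permission, whereas the `System: Read Certmap Configuration` ACI added just above is granted to `userdn = "ldap:///all"`. The test fixtures in this PR describe the map/match rules as consumed by SSSD, which presumably fetches them from enrolled clients with host credentials; unless a host privilege is assigned to this permission elsewhere in the patch (not visible in this hunk), those reads would be denied and no rule would ever match. Either confirm the client-side consumer is covered or align the read rule with the configuration entry, `allow (compare,read,search) userdn = "ldap:///all";)`, and note the reasoning next to the permission definition. Separately, the write ACI for `System: Modify Certmap Rules` includes `objectclass` in its targetattr while the neighbouring `Modify CA ACL` write rule does not; if rule managers should not be able to change an entry's object classes, drop it from that list.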
[Freeipa-devel] [freeipa PR#399][synchronized] Certificate mapping test
URL: https://github.com/freeipa/freeipa/pull/399 Author: dkupka Title: #399: Certificate mapping test Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/399/head:pr399 git checkout pr399 From fb73c25fa30d0d374010cfc2245fbe60726f7389 Mon Sep 17 00:00:00 2001 From: David KupkaDate: Fri, 13 Jan 2017 13:17:35 +0100 Subject: [PATCH 1/2] test_xmlrpc: tracker: Add enable and disable methods to tracker Prepare tracker for easier testing of *-{en,dis}able commands. --- ipatests/test_xmlrpc/tracker/base.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipatests/test_xmlrpc/tracker/base.py b/ipatests/test_xmlrpc/tracker/base.py index aa88e6b..d8cd3a6 100644 --- a/ipatests/test_xmlrpc/tracker/base.py +++ b/ipatests/test_xmlrpc/tracker/base.py @@ -198,6 +198,14 @@ def make_update_command(self, updates): """Make function that modifies the entry using ${CMD}_mod""" raise NotImplementedError(self._override_me_msg) +def make_enable_command(self): +"""Make function that enables the entry using ${CMD}_enable""" +raise NotImplementedError(self._override_me_msg) + +def make_disable_command(self): +"""Make function that disables the entry using ${CMD}_disable""" +raise NotImplementedError(self._override_me_msg) + def create(self): """Helper function to create an entry and check the result""" self.track_create() 
@@ -285,3 +293,21 @@ def update(self, updates, expected_updates=None): def check_update(self, result, extra_keys=()): """Check the plugin's `mod` command result""" raise NotImplementedError(self._override_me_msg) + +def enable(self): +command = self.make_enable_command() +result = command() +self.check_enable(result) + +def check_enable(self, result): +"""Check the plugin's `enable` command result""" +raise NotImplementedError(self._override_me_msg) + +def disable(self): +command = self.make_disable_command() +result = command() +self.check_disable(result) + +def check_disable(self, result): +"""Check the plugin's `disable` command result""" +raise NotImplementedError(self._override_me_msg) From 0f5f8531edce915c02cabdcb215f0f2134b880a1 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Fri, 13 Jan 2017 13:22:45 +0100 Subject: [PATCH 2/2] test: certmap: Add basic tests for certmaprule commands. https://fedorahosted.org/freeipa/ticket/6542 --- ipatests/test_xmlrpc/objectclasses.py | 5 + ipatests/test_xmlrpc/test_certmap_plugin.py| 101 +++ ipatests/test_xmlrpc/tracker/certmap_plugin.py | 167 + 3 files changed, 273 insertions(+) create mode 100644 ipatests/test_xmlrpc/test_certmap_plugin.py create mode 100644 ipatests/test_xmlrpc/tracker/certmap_plugin.py diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 1ea020b..0a15a21 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -227,3 +227,8 @@ u'top', u'ipaca', ] + +certmaprule = [ +u'top', +u'ipacertmaprule', +] diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py new file mode 100644 index 000..4086333 --- /dev/null +++ b/ipatests/test_xmlrpc/test_certmap_plugin.py 
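Review bot: `enable()` and `disable()` run the command and hand the result to `check_enable`/`check_disable`, but unlike `create()` in the preceding hunk, which records the expected state via `self.track_create()` before issuing its command, they never update the tracker's expected attributes, so after `enable()` the tracked state still describes the pre-change entry and any later retrieve-style comparison depends on every subclass remembering to adjust `self.attrs` inside its check method. Making that contract explicit would avoid silent false passes: give both helpers a docstring such as `"""Enable the entry with ${CMD}_enable and check the result; check_enable() is expected to update the tracked attrs (e.g. ipaenabledflag)."""`, or add `track_enable`/`track_disable` hooks called before the command in the same way `track_create` is. The two new helper methods are complete within this hunk; `check_update` above them starts outside it.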
@@ -0,0 +1,101 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import pytest +import itertools + +from ipapython.dn import DN +from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test +from ipatests.test_xmlrpc.tracker.certmap_plugin import CertmapruleTracker + +certmaprule_create_params = { +u'cn': u'test_rule', +u'description': u'Certificate mapping and matching rule for test ' +u'purposes', +u'ipacertmapissuer': DN('CN=CA,O=EXAMPLE.ORG'), +u'ipacertmapmaprule': u'arbitrary free-form mapping rule defined and ' + u'consumed by SSSD', +u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined ' +u'and consumed by SSSD', +u'associateddomain': u'example.org', +u'ipacertmappriority': u'1', +} + +certmaprule_update_params = { +u'description': u'Changed description', +u'ipacertmapissuer': DN('CN=Changed CA,O=OTHER.ORG'), +u'ipacertmapmaprule': u'changed arbitrary mapping rule', +u'ipacertmapmatchrule': u'changed arbitrary maching rule', +u'associateddomain': u'changed.example.org', +u'ipacertmappriority': u'5', +} + +certmaprule_optional_params = ( +'description', +'ipacertmapissuer', +'ipacertmapmaprule', +'ipacertmapmatchrule', +'ipaassociateddomain', +'ipacertmappriority', +) + +